Chapter 13 Managing users and groups
The following topics are provided:
- Managing users (page 110)
- Managing groups (page 114)
Managing users
BMC Atrium SSO provides basic user and group management features with the internal LDAP server. These features allow an administrator to manage users, groups, and memberships in the groups.
BMC Atrium SSO is configured to use an internal LDAP for user authentication (default). While not recommended for large-scale deployments, the internal database can be used for small deployments, demonstrations, and other Proof-Of- Concept (POC) work. For larger deployments, BMC recommends that you use an external authentication server, such as another LDAP server.
From the User page, the administrator can create, delete, and manage group memberships.
To access the User page, navigate to the following location:
Access Control > BmcRealm link > Subjects tab > User tab
Adding users
New users can only be created when you are using the internal LDAP server for authentication. If an external source is used for authentication, new users must be created within that external system.
NOTE
If special characters, such as a comma (,), semicolon (;), or plus sign (+), are used in the user ID, a backslash (\) must precede the special character. For example, Baldwin\,bob.
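As an added illustration (not code from the BMC guide), the following Python function applies the escaping rule above and also covers the other characters that RFC 4514 requires to be escaped in an LDAP RDN value. It assumes that the internal LDAP server stores the user ID as an RDN value such as uid=<id>; the uid attribute name and the base DN are assumptions.

```python
# Added example, not from the BMC Atrium SSO guide.
# Assumption: the internal LDAP server stores the user ID as the value of an
# RDN (e.g. uid=<id>), so characters that are special in a DN must be
# backslash-escaped, as the guide's note describes for ',', ';' and '+'.
# The function also escapes the remaining RFC 4514 special characters.

# ';' is not special in RFC 4514, but the guide escapes it, so it is included.
SPECIAL_ANYWHERE = set(',;+"\\<>')


def escape_rdn_value(user_id: str) -> str:
    """Return user_id with DN-special characters backslash-escaped."""
    if not user_id:
        raise ValueError("user ID must not be empty")
    out = []
    last = len(user_id) - 1
    for i, ch in enumerate(user_id):
        if ch in SPECIAL_ANYWHERE:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # a leading '#' would start a hex string
            out.append("\\#")
        elif ch == " " and i in (0, last):  # leading or trailing space
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")              # NUL must be hex-escaped
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(user_id: str, base_dn: str = "ou=People,dc=example,dc=com") -> str:
    """Build the DN for a user; the attribute name and base DN are assumptions."""
    return f"uid={escape_rdn_value(user_id)},{base_dn}"
```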
When creating a new user, each field that is marked with an asterisk is a required field.
To add a new user
1 Navigate to the User tab:
Access Control > BmcRealm link > Subjects tab > User tab
2 Click New.
3 In the ID field, enter a unique identifier for the new user. This value is used as the user ID when the user logs in.
6 In the User Status field, verify that the Active radio button is selected (default).
7 Click OK.
The name attributes (First, Full, and Last) can be provided to BMC products to help identify user accounts by using terms that are more user-friendly. The actual use of these attributes, though, is dependent on the BMC product.
Searching for users
If the number of users in the Available list is too large to find the user that you want to modify, use the search function. The asterisk (*) returns all user accounts. Enter part of the user ID to refine the user account list.
For example, the pattern "b*" returns users whose IDs start with the letter "b" (case-insensitive), such as "bob" and "Baldwin".
Deleting users
User accounts can only be deleted if BMC Atrium SSO is using the internal LDAP server for user authentication needs.
To delete users
1 Navigate to the User tab:
Access Control > BmcRealm link > Subjects tab > User tab
2 Select the check box next to each user account in the User list that should be deleted.
3 Click Delete.
4 Click Save.
Modifying user accounts
User accounts can be edited and disabled (access blocked) from the Edit User page. This page is accessible by clicking the user name link in the User list.
Changing user passwords
To change a user’s password
1 Navigate to the User tab:
Access Control > BmcRealm link > Subjects tab > User tab
2 Select the link of the user that you want to modify.
3 In the Password field, click Edit.
This action launches another page where the user’s password can be changed.
Disabling and enabling user accounts
The user account can be disabled or enabled by changing the selection of User Status radio buttons.
To enable a user account
1 Navigate to the User tab:
Access Control > BmcRealm link > Subjects tab > User tab
2 Select the link of the user that you want to modify.
3 In the User Status field, click the Active radio button.
To disable a user account
1 Navigate to the User tab:
Access Control > BmcRealm link > Subjects tab > User tab
2 Select the link of the user that you want to modify.
3 In the User Status field, click the Inactive radio button.
When a user account is disabled, the user cannot authenticate, but the account keeps all of its attributes, such as group memberships. A user loses group memberships only when the user account is deleted.
Adding and removing group memberships
A user is added to a group from the Group tab, which can be accessed from the Edit User page.
To add a group membership to a user account
1 Navigate to the User tab:
Access Control > BmcRealm link > Subjects tab > User tab
2 Select the link of the user that you want to modify.
3 Click the Group tab.
4 Select a group from the Available list.
5 Click Add.
To remove a group membership from a user account
1 Navigate to the User tab:
Access Control > BmcRealm link > Subjects tab > User tab
2 Select the link of the user that you want to modify.
3 Click the Group tab.
4 Select a group from the Available list.
5 Click Remove.
Alternatively, click Remove All to remove all of the available groups from the user account.
6 Click Save.
Viewing user sessions
To view user sessions
1 Log on to the Administrator console.
2 Select the Sessions tab.
Terminating user sessions
To terminate an active user session
1 Log on to the Administrator console.
2 Select the Sessions tab.
3 Select the check box associated with the user session that you want to terminate.
4 Click Invalidate Session.
IMPORTANT
Care should be exercised not to accidentally terminate the session that is used to access the console or the sessions that are used by BMC agents. These agent sessions use the following naming convention:
BMCJEEAgent@host:port or
Terminating these sessions will, at best, close the console the administrator is using or, at worst, prevent users from accessing the BMC products that the agent is protecting.
Managing groups
BMC Software products can use the group membership capabilities of the BMC Atrium SSO system to provide authorization of users as well as authentication. If a BMC Software product does use the group memberships of the BMC Atrium SSO system, consult that product's documentation to determine how its groups map to privileges.
To access the Group page, navigate to the following location:
Access Control > BmcRealm link > Subjects tab > Group tab
Predefined groups
BMC Atrium SSO provides predefined groups to help with the Administrator privileges that some BMC Software products might require. For example, the BmcSearchAdmin group provides privileges that allow a user to connect to the server to perform identity searches.
NOTE
Care should be exercised when assigning this group, because its elevated privileges allow greater access to BMC Atrium SSO than is normally provided.
Creating groups
To create a new group
1 Navigate to the Group page:
Access Control > BmcRealm link > Subjects tab > Group tab
2 Click New.
3 Enter a new, unique name for the group.
4 Click OK.
Normally, BMC products install the groups that they need managed into BMC Atrium SSO as part of their installation. However, a situation might arise in which a group might need to be created (or re-created).
To delete a group
1 Navigate to the Group page:
Access Control > BmcRealm link > Subjects tab > Group tab
2 Select the check box for the group that you want to delete.
3 Click Delete.
If too many groups are visible within the Group list to efficiently find the groups that you want to delete, use the search function to filter out undesired groups. For example, by changing the search filter to "D", the group IDs that start with the letter "d" (case-insensitive) are displayed.
Adding users to groups
Multiple users can be assigned to a group from the Group page.
To assign a group membership
1 Navigate to the Group page:
Access Control > BmcRealm link > Subjects tab > Group tab
2 Click the group name link.
3 Click the User tab.
4 Select a user from the Available list.
5 Click Add.
Alternatively, you can add all of the users by clicking Add All.
6 Click Save.
The membership change is immediately put into effect.
IMPORTANT
Care should be exercised when adding users to a group, such as the Predefined groups, so that elevated privileges are not accidentally assigned to a user. For example, BmcSearchAdmin has privileges to perform searches and BmcAgents has privileges to read configuration information.
Removing users from groups
Users can be removed from a group from the Group page.
To remove a user from a group
1 Navigate to the Group page:
Access Control > BmcRealm link > Subjects tab > Group tab
2 Click the group name link.
4 Select a user from the Selected list.
Alternatively, you can remove all of the users from the group by clicking the Remove All button.
5 Click Remove.
6 Click Save.
The membership change is immediately put into effect.
To remove all users from a group
1 Navigate to the Group page:
Access Control > BmcRealm link > Subjects tab > Group tab
2 Click the group name link.
3 Click the User tab.
4 Click Remove All.
5 Click Save.
Chapter 14 Other Administrator Tasks
The following topics are provided:
- Configuring session parameters (page 118)
- Cleaning up BMC product agents (page 118)
- Managing authentication modules (page 119)
- Managing authentication chains (page 120)
Configuring session parameters
The following parameters are configurable for BMC Atrium SSO:
- Maximum Session Time (default is 120 minutes)
- Idle Time (default is 30 minutes)
- Maximum Sessions (default is 5)
- Maximum Caching Time (default is 3 minutes)
To modify session parameters
1 Navigate to the Dynamic Attributes tab:
Configuration tab > Global tab > Session link > Dynamic Attributes tab
2 Modify your attributes.
3 Click Save.
Any committed changes take effect immediately. A server restart is not necessary.
Cleaning up BMC product agents
If a product has become unusable and the uninstall utility can no longer be used to perform an orderly cleanup and de-integration with BMC Atrium SSO, you might need to perform a manual cleanup.
NOTE
If all products within the JEE server no longer need authentication, or you want to permanently block access from the JEE server, deleting the agent accounts effectively terminates access by the agent. To do so, both the J2EE agent and the user must be deleted from the root realm.
The names for the agent and user are based on the host name and port of the URL for the BMC product server where the agent resides. This name uses the following template:
BMCJEEAgent@host:port or
Deleting agent accounts
To delete an agent account
1 Navigate to the J2EE agents page in the Top Level Realm:
Access Control > Top Level Realm link > Agents > J2EE
2 In the Agents list, select the check box for the J2EE agent that you want to delete.
3 Click Delete.
4 Click the Sessions tab.
5 Click the check box for the user session that has the same name as the J2EE agent (if one exists).
6 Click Invalidate Session.
Managing authentication modules
The basic building block of authentication in BMC Atrium SSO is the authentication module. These modules specify the type of authentication (LDAP, RSA SecurID, and so on) as well as deployment-specific values such as host names and port numbers.
To access the Module Instances page, navigate to:
Access Control > BmcRealm link > Authentication > Module Instances link
Module instances can be created, edited, and deleted from the Module Instances table.
- New creates a new module instance.
- Delete removes the selected module instance.
- Clicking the module name navigates you to a page where you can modify the module instance.
Creating Modules
To create a new module
1 Navigate to the module instance page:
Access Control > BmcRealm link > Authentication > Module Instances link
2 Click New.
3 Type a unique name for the module instance.
The name should be composed of alphanumeric characters and a few punctuation characters such as the underscore, but no spaces, commas, or ampersands.
5 Click OK to create an unconfigured instance and return to the Authentication page.
6 Edit the module. See “Editing modules”.
The module’s configuration must be edited before it can be used within an authentication chain.
Editing modules
To edit a module
1 Navigate to the Module Instance page:
Access Control > BmcRealm link > Authentication > Module Instances link
2 Click the name of the module instance.
A page is launched that allows you to configure module attributes.
NOTE
See the section on configuring that particular type of module, for example, "Using LDAP for authentication".
Deleting modules
To delete a module
1 Remove the module from all authentication chains.
See "Editing chains" on page 121 for information on removing a module from an authentication chain.
2 Navigate to the module instance page:
Access Control > BmcRealm link > Authentication > Module Instances link
3 Select the module instance check box.
4 Click Delete.
NOTE
Failure to remove the module from all authentication chains generates an error similar to the following:
Managing authentication chains
To navigate to the Authentication Chaining page:
Access Control > BmcRealm link > Authentication > Authentication Chaining link
Creating chains
To create a new authentication chain
1 Navigate to the Authentication Chaining page:
Access Control > BmcRealm link > Authentication > Authentication Chaining link
2 Click New.
This action launches a new page as shown in the following figure:
3 Type the name for this new chain into the Name field.
4 Click OK.
5 On the properties page, configure the module instance for the new chain.
The chain’s properties page launches after the new chain is created. See “Editing chains” for information on manipulating the modules within the chain.
Editing chains
On the chain properties page, the Modules table allows you to add, remove, and reorder the modules, as well as select the criteria used to affect the flow of processing and to determine the overall authentication status of the chain.
To edit a chain
1 Navigate to the Authentication Chaining page:
Access Control > BmcRealm link > Authentication > Authentication Chaining link
2 Click the Authentication Chaining link.
3 Click the link of the authentication chain that you want to edit.
Alternatively, after creating a new chain, the properties page for the chain is automatically displayed.
4 Click Save.
NOTE
Currently, BMC Atrium SSO does not use the Successful Login URL field. BMC recommends that this field be left blank to prevent a negative impact on the BMC Atrium SSO server.
Deleting chains
Before deleting a chain, verify that BmcRealm is not actively using the chain for authentication.
To check the authentication chain that is being used
1 Navigate to the BmcRealm Authentication page:
Access Control > BmcRealm link > Authentication
2 Verify the name of the chain that is displayed in the Organization Authentication Configuration field.
This is the chain that is currently being used.
3 If the chain that you want to delete is being used, change the Organization Authentication Configuration field to a different chain.
NOTE
If the chain is in use when it is deleted, an alternate chain is randomly selected.
To delete a chain
1 Navigate to the BmcRealm Authentication page:
Access Control > BmcRealm link > Authentication
2 Click the Authentication Chaining link.
3 Select the check box of the chain you want to delete.
4 Click Delete.
Adding modules to chains
To add a new module instance to the chain
1 Navigate to the Authentication Chaining page:
Access Control > BmcRealm link > Authentication > Authentication Chaining link
2 Click Add.
A new row is appended to the module instances table configured with default values.
3 In the Instance column, click the drop-down menu to change the default module value.
Alternatively, in the Criteria column, click the drop-down menu to change the default criteria value.
- Optional: This module might authenticate the user. Processing continues regardless of success or failure.
The overall status is successful if all of the Required and Requisite modules pass before either the end of the chain or the first successful Sufficient module. When there are no Required or Requisite modules, then at least one Sufficient or Optional module must authenticate the user.
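As an added example (not code from the BMC guide), the following Python function evaluates a chain according to the rules just described, so an administrator can reason about the ordering and criteria chosen on the chain properties page. The short-circuit behaviour of Requisite (stop on failure) and Sufficient (stop on success) follows the standard JAAS/OpenSSO criteria definitions that this excerpt summarises but does not spell out; the module instance names and credential stores are constructed.

```python
# Added example, not from the BMC Atrium SSO guide. Criteria semantics follow
# the standard JAAS/OpenSSO definitions that the guide's text summarises:
#   Required   must succeed; processing continues either way
#   Requisite  must succeed; failure stops the chain immediately
#   Sufficient success ends the chain successfully unless a Required/Requisite
#              module already failed; failure is ignored and processing continues
#   Optional   processing continues either way; counts only when the chain has
#              no Required or Requisite module
from typing import Callable, Dict, List, Tuple

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "Required", "Requisite", "Sufficient", "Optional"

# One row of the Modules table: (instance name, criteria, authenticator callable).
Module = Tuple[str, str, Callable[[Dict[str, str]], bool]]


def evaluate_chain(chain: List[Module], cred: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Process the chain in order; return (overall status, instances actually invoked)."""
    has_required = any(c in (REQUIRED, REQUISITE) for _, c, _ in chain)
    required_failed = False
    soft_success = False            # some Sufficient/Optional module passed
    invoked: List[str] = []
    for name, criteria, authenticate in chain:
        invoked.append(name)
        ok = authenticate(cred)
        if criteria == REQUIRED:
            required_failed = required_failed or not ok
        elif criteria == REQUISITE:
            if not ok:
                return False, invoked           # stop: no later module runs
        elif criteria == SUFFICIENT:
            if ok and not required_failed:
                return True, invoked            # stop: chain already decided
            soft_success = soft_success or ok
        elif criteria == OPTIONAL:
            soft_success = soft_success or ok
        else:
            raise ValueError(f"unknown criteria {criteria!r}")
    if has_required:
        return not required_failed, invoked
    return soft_success, invoked                # no Required/Requisite: one pass needed


# Constructed sample credential stores standing in for the module back ends.
INTERNAL_LDAP = {"bob": "s3cret"}       # user ID -> password
SECURID_TOKENS = {"bob": "123456"}      # user ID -> one-time token


def ldap_module(cred: Dict[str, str]) -> bool:
    expected = INTERNAL_LDAP.get(cred.get("user", ""))
    return expected is not None and expected == cred.get("password")  # never None == None


def securid_module(cred: Dict[str, str]) -> bool:
    expected = SECURID_TOKENS.get(cred.get("user", ""))
    return expected is not None and expected == cred.get("token")
```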
The fields within the Options column are used to pass extra configuration items to the authentication module when it is used within the chain, such as enabling debug logging. BMC Atrium SSO does not currently use this feature. Refer to the applicable OpenSSO documents for further information.
Deleting modules from chains
To delete a module instance from a chain
1 Navigate to the Authentication Chaining page:
Access Control > BmcRealm link > Authentication > Authentication Chaining link
2 Select the name of the chain from which you want to remove the module instance.
3 On the chain's property page, select the check box of each module instance that you want to remove.
4 Click Remove to delete the module instance from the chain.
Editing a module instance in a chain
To change a module instance within a chain
1 Navigate to the Authentication Chaining page:
Access Control > BmcRealm link > Authentication > Authentication Chaining link
2 In either the Instance or Criteria column, click the drop-down menu to select a new value.
3 Click Save.
Reordering modules in chains
Instead of performing numerous add and remove operations on the module table to switch the order in which the module instances are processed, use the Reorder option. On this page, module instances can be selected and moved up or down the chain. The selected module instance can be moved to the top or bottom of the list by clicking Move to Top or Move to Bottom.
To reorder the modules in a chain
1 Navigate to the Authentication Chaining page:
2 Click the name of the chain that you want to alter.
3 Click Reorder.
4 Click the Module Instance that you want to move.
5 Click on Move Up, Move Down, Move to Top, or Move to Bottom to change the order in which the module instances are processed.
Appendix A Policy file additions for external Tomcat installations